MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6
SHA3-384 hash: 7c4687cec612bde8e4294fa55d22b3239b13ae8cd65814da4b96396084a87e3c287b30c1d605591c0e2533ace02d40cf
SHA1 hash: f7a20997390b29662e129e2eec55f20221a46074
MD5 hash: 848b7b08d9dd9db1bc3e27522354a643
humanhash: echo-cup-fruit-nevada
File name:SALES.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:896'512 bytes
First seen:2021-02-02 07:47:22 UTC
Last seen:2021-02-02 09:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8Br2cA2zTKI5/DX85JopCntoGw6YQv2Wyrri/9aola/w9U9tpwAPxYxhGF22DbKy:8BjeI5/DM5JjOGw6WnwRlamyD0T2i
Threatray 2 similar samples on MalwareBazaar
TLSH 01152CA5F1A4CCDADC6706B1BC3A593024A3BD9D54A4811C56DE7B172AB338220DFF1B
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: mastersealandlogistics2@gmail.com
Subject: Morning report February,02nd 2021
Attachment: SALES.Z (contains "SALES.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SALES.exe
Verdict:
Malicious activity
Analysis date:
2021-02-02 07:55:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3df94629-06a6-4394-9716-c8ffde480c05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115071/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/596234
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 347156 Sample: SALES.exe Startdate: 02/02/2021 Architecture: WINDOWS Score: 100 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 6 other signatures 2->48 7 SALES.exe 3 2->7         started        11 I$s#$lT3ssl.exe 3 2->11         started        process3 file4 28 C:\Users\user\AppData\Local\...\SALES.exe.log, ASCII 7->28 dropped 50 Writes to foreign memory regions 7->50 52 Injects a PE file into a foreign processes 7->52 13 powershell.exe 15 7->13         started        17 InstallUtil.exe 15 2 7->17         started        54 Allocates memory in foreign processes 11->54 20 InstallUtil.exe 2 11->20         started        22 powershell.exe 15 11->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 13->30 dropped 32 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 13->32 dropped 56 Drops PE files to the startup folder 13->56 58 Powershell drops PE file 13->58 24 conhost.exe 13->24         started        34 checkip.dyndns.org 17->34 36 checkip.dyndns.com 131.186.113.70, 49723, 49724, 49738 DYNDNSUS United States 17->36 40 2 other IPs or domains 17->40 38 checkip.dyndns.org 20->38 60 Tries to steal Mail credentials (via file access) 20->60 62 Tries to harvest and steal ftp login credentials 20->62 64 Tries to harvest and steal browser information (history, passwords, etc) 20->64 26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 07:48:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ywthgpapreijhun6rav6wb5wj4em34ianj3e2s6m2yd7giyll3a._file
Verdict:
unknown
Similar samples:
0c3d1e60a1f6caa8bc2c84704ccf93ff2096891b6b5693952f5417c5aa577ee1
SnakeKeylogger
ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
SnakeKeylogger
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger stealer
Link:
https://tria.ge/reports/210202-5zrbanjgee/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Beds Protector Packer
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/b991fca4-87d1-458a-be01-000beb689adf/
SH256 hash:
40d4d775760861b5b901cf280b4ca0d30d465045204c2f28df2a4a0e4d158712
MD5 hash:
01b0ce2eec178c4bec3b3e862b910aeb
SHA1 hash:
a13939b313e4138ef8f096fd2b9de6e2b09e450e
Link:
https://www.unpac.me/results/b991fca4-87d1-458a-be01-000beb689adf/
SH256 hash:
e9a92a3d9d9171b935c264803fb9263956ee7b9f903eeecf7cc4e39476219add
MD5 hash:
d403851bed84623ae8e3bcc7970a5653
SHA1 hash:
883afbe0182f0079c9ecf52234876bd61251d191
Link:
https://www.unpac.me/results/b991fca4-87d1-458a-be01-000beb689adf/
SH256 hash:
ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6
MD5 hash:
848b7b08d9dd9db1bc3e27522354a643
SHA1 hash:
f7a20997390b29662e129e2eec55f20221a46074
Link:
https://www.unpac.me/results/b991fca4-87d1-458a-be01-000beb689adf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 60184bb727ef6cc3745e8eff1cbbdb5b9d1019d44dcf88c93648f9fb8898dd74

SnakeKeylogger

Executable exe ee2d3399e07c48849e8df4415f583db278466f880353b26a5e66b03f99185af6

(this sample)

  
Dropped by
MD5 9b51299903680b54c81b87edcff9c6f6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115071/
  
Dropped by
SHA256 60184bb727ef6cc3745e8eff1cbbdb5b9d1019d44dcf88c93648f9fb8898dd74

Comments